Data Protection Policy
Effective Date: 01 January 2025
Last Updated: 18 February 2026
At Acrux Education, we are committed to safeguarding personal data and complying with applicable data protection laws in the jurisdictions in which we operate, including the Privacy Act 1988 (Australia), UK GDPR, and Singapore’s Personal Data Protection Act 2012 (PDPA).
This policy describes how we collect, use, store, and protect personal information when you use our products and services.
1. Who We Are
Acrux Education (“we”, “us”, “our”) provides a secure digital platform that enables schools and educators to manage assessments, track progress, and deliver educational outcomes.
Our platform is used by authorised school staff to administer and review assessments, manage student records, and access insights into teaching and learning.
Depending on context, we act as either:
a Data Processor when handling data on behalf of schools, or
a Data Controller for account-level and operational data
2. Data We Collect and Process
We collect and process the following categories of personal information:
a. Teacher Information
Full name and email address
Role and affiliated school
Subjects taught and class assignments
Login and usage activity (e.g. last login, page views)
Support tickets and communications
b. Student Information (provided by schools)
Full name and national student identifier
Class enrollment and assessment records
Assessment responses and associated metadata
Marking and grading outcomes
Derived analytics data (e.g. performance trends, error types)
c. Analytics and AI-processed Data
To support insight reporting and AI-based marking, we generate and store analytics based on student responses.
All large-scale analysis and AI training uses anonymised data with UUIDs in place of personal identifiers.
We do not collect student data directly. All student information is provided and managed by authorised school staff.
3. Purpose of Processing
We process personal data for the following purposes:
To provide secure access to the Acrux platform for authorised school staff
To manage user accounts, classes, and teaching assignments
To deliver, store, and assess student work and results
To facilitate automated marking and feedback using AI tools
To generate performance analytics and progress insights for teachers and schools
To support large-scale anonymised research and product improvement
To respond to technical support queries and operational communications
To comply with legal obligations and education data standards
Where possible, we use pseudonymised or anonymised data (e.g., UUIDs) when conducting analytics or research beyond the direct provision of school services.
4. Lawful Basis for Processing
We process personal data based on the following lawful grounds:
Contractual necessity – to provide our services to schools and their authorised staff
Legitimate interest – to operate and improve our platform, ensure security, and conduct research and development
Legal obligation – to comply with applicable laws, including education regulations and privacy legislation
Consent – where required, such as for receiving product updates or marketing communications
For student data, we act solely under the authority of schools and process such data only in accordance with their instructions.
5. How We Store and Protect Data
Data is hosted in secure, access-controlled environments on Google Cloud Platform (GCP). Data is stored in the cloud region that aligns with the school's jurisdiction:
Australian schools: hosted in Sydney (australia-southeast1)
New Zealand schools: hosted in Sydney, Australia (australia-southeast1) under the cross-border transfer arrangements described in §6 below
United Kingdom schools: hosted in the United Kingdom (europe-west2)
Singapore schools: hosted in Singapore (asia-southeast1)
Each region operates as an independent instance - student and school data does not cross between regions.
We apply:
Encryption at rest and in transit
Role-based access control (RBAC)
Regular vulnerability assessments
Audit logs and incident response protocols
6. Data Sharing and Transfers
We may share data with trusted third parties under strict controls and only for legitimate operational or research purposes. These include:
Cloud infrastructure providers (e.g. Google Cloud Platform) for hosting, storage, and security
Internal staff and subcontractors under confidentiality agreements
Legal and regulatory authorities when required by law
Research institutions and universities for approved studies using fully anonymised datasets, with no identifying student or school information
Cross-border data transfers are protected by the following lawful mechanisms:
New Zealand to Australia: Permitted under the New Zealand Privacy Act 2020 cross-border provisions, on the basis that Australia provides comparable safeguards under the Australian Privacy Act 1988
Australia to overseas sub-processors: Australian Privacy Principle 8.1 for overseas disclosure, with contractual safeguards in place
United Kingdom to overseas sub-processors: Standard Contractual Clauses (SCCs) under UK GDPR, or transfer to an adequacy-listed jurisdiction
Singapore to overseas sub-processors: Personal Data Protection Act 2012 Sections 26–28 for international transfers
We do not sell or monetise any data, and no personal information is used for advertising or profiling.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy or to comply with legal and contractual obligations.
Teacher and staff data: retained for the duration of the account + 12 months
Identifiable student data (e.g. names, student ID, assessment submissions): retained for the duration of a student’s enrolment at the school or as directed by the school
Anonymised student data (e.g. answer patterns, assessment analytics, AI training data): retained indefinitely for research and system improvement purposes. This data is fully anonymised and cannot be linked back to an individual.
When a school requests data deletion, we will:
Delete all identifiable data associated with the request
Retain only anonymised data, where such data cannot be used to re-identify any student or user
All deletion actions are logged and confirmed back to the requesting school.
8. Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal data, such as:
The right to access, correct, or delete personal data
The right to restrict or object to processing
The right to request a copy of your data (data portability)
For teachers and school staff, you may contact us directly at [email protected] to exercise these rights.
For student data, all requests must be made through the student’s school. As a data processor, we are not permitted to act on direct student or parent requests unless instructed by the school.
We will assist schools with any data-related requests they submit on behalf of students or staff. We aim to respond to all valid requests within 30 days.
9. Children’s Data
Our platforms are designed for use by schools and educators. Students do not create accounts or directly interact with the platform. All student data is provided by authorised school staff.
We process student data only under contractual agreements with schools and in accordance with their instructions.
10. Privacy Officer and Data Protection Officer (DPO)
Dr Leanne Russell is Acrux Education's Privacy Officer for all jurisdictions in which we operate, and holds the role of Data Protection Officer where required under UK GDPR.
📧 General privacy enquiries: [email protected]
📧 GDPR-specific contact: [email protected]
We acknowledge privacy requests within 5 business days and provide a substantive response within 30 days. For student data, requests must be made through the student's school per Section 8 of this policy.
11. Updates to This Policy
We may update this policy from time to time. Material changes will be communicated via the platform or email. The latest version is always available at www.acrux.education.